23. Mudge

Hired by Dorsey in November 2020 to become Twitter’s head of security, Peiter Zatko was better known by his hacker moniker, Mudge, and had earned renown in the tight-knit security community in the 1990s for research into a type of security vulnerability known as a buffer overflow. While many hackers shared Dorsey’s anarchistic skepticism of the government, Zatko realized that he could advocate for broader security reforms by working with the feds than by peppering them with attacks from the shadows. He took a job at the Defense Department’s research wing, DARPA, and worked with Bill Clinton’s administration to mitigate cyberattacks.

When Dorsey hired him, there was just one problem—Twitter had, just weeks earlier, hired another executive for essentially the same role. Her name was Rinki Sethi, and while she didn’t have Zatko’s industry prestige, she had experience running security organizations. Sethi was told to report to Zatko.

A power struggle quickly unfolded. Both were charged with patching the company back together after a bruising hack in July 2020, when a group of teenagers commandeered the site. To her new employees, Sethi seemed sharp-elbowed and suspicious of her staffers, often micromanaging them. She quickly drew up a list of people she wanted to fire, alienating longtime employees. Zatko had prestige, but his employees suspected he had checked out from security at the height of his fame in the ’90s and didn’t have a working grasp of modern security systems.

Both Zatko and Sethi embarked on land grabs, trying to wrest parts of the security organization for themselves. Sometimes they assigned conflicting work, and employees didn’t know which executive they were supposed to be following—the one the CEO preferred or the one who actually managed them. Some Twitter security workers were particularly suspicious of Zatko’s deep ties to the government, which Twitter’s staff largely viewed as another adversary to be prevented from spying on users. The former DARPA official appeared on video calls with a folded American flag and military trophies displayed in the background.

It was no secret that Zatko and Sethi were at odds, and the executives quickly launched competing complaints against each other with the human resources department questioning each other’s ethics. Within a year, it was obvious the arrangement wasn’t working.

Zatko, at least, seemed to realize that the tide was turning against him. He appealed to Agrawal, asking the new chief executive to come visit him at home in New Jersey during Agrawal’s holiday trip to the East Coast. Agrawal initially agreed to the sit-down but then put the meeting off, saying he was unable to make time during his trip. But Zatko used his access to Twitter’s systems to check the travel arrangements for Agrawal’s security detail and found no last-minute adjustments. He believed Agrawal was lying to him.

By January 2022, Agrawal was ready to act. In one of his first moves as chief executive, he decided to fire both Zatko and Sethi and start fresh.

In a last-ditch effort to save his job, Zatko appealed to the board of directors, claiming that Agrawal had blocked him from briefing the board about the extent of Twitter’s security problems. Thousands of employees had broad access to Twitter and could take down the site if their accounts were compromised, he warned. And such a compromise was likely, Zatko continued, because the employees weren’t installing regularly scheduled security updates that would protect their devices from being hacked. Zatko argued that the gaping holes ran counter to what Twitter had been telling the Federal Trade Commission for years—that it had a robust security program and could be trusted with its users’ personal data.

“I joined because I felt an ‘attachment to mission,’ ” Zatko wrote in a plaintive email to Pichette that February, several weeks after his dismissal. “I’m different from a lot of the world that way.”

Zatko extracted a $7 million settlement from Twitter in June, after his lawyers argued that his firing was unjustified. But he was wounded and watched from the sidelines as Musk buffeted the company. He believed that Agrawal was toying with Musk as the engineer had done with him. He hadn’t overseen Twitter’s bot tallies, but Zatko had asked around about it while at Twitter. He didn’t think Agrawal was being honest about the scale of the problem.

The former security executive signed on with Whistleblower Aid, a nonprofit legal organization, and the group agreed to help him submit a complaint to Congress, the FTC, and the SEC. The securities regulator paid awards to whistleblowers whose claims led to enforcement actions, so Zatko stood to make a tidy sum on top of his Twitter settlement. Whistleblower Aid ensured that they would help his claims go far and wide. On August 23, the group did just that, coordinating news stories of Zatko’s whistleblower report in The Washington Post and on CNN.

Twitter’s security program was a complete disaster, Zatko claimed. The company had always struggled to secure user data. At first, it grew too quickly, and its databases were held together with virtual bits of tape and string. Then, hackers recognized its influence over global discourse. It became too enticing a target to pass up. The FTC intervened in 2011 and had kept watch over the company ever since.

The agency’s ongoing oversight of Twitter gave regulatory significance to Zatko’s complaint. The security problems meant that Twitter was still violating its 2011 agreement with the agency to clean up its act, Zatko argued.

The report was a boon for Musk and his lawyers. His case had been floundering, as round after round of discovery failed to turn up proof that Twitter had manufactured its spam estimates. But here, finally, was someone who was willing to confirm Musk’s theories. Better yet, Twitter had already paid him off handsomely in exchange for his signature on a nondisclosure agreement. It seemed as if the company had known about its bot problem all along and covered it up.

Spiro vowed to subpoena Zatko immediately. Agrawal, meanwhile, was frustrated. As far as he was concerned, Zatko was yet another problem inherited from Dorsey. He had tried to move decisively, as he always did, and clean it up quickly. But here Zatko was, using a loophole to escape his nondisclosure and splash his whistleblower complaint across the internet.

Agrawal launched a strident defense of the company to his employees, many of whom wanted to know if Zatko’s claims were true. On August 24, the day after the whistleblower complaint was published, Twitter’s chief executive summoned his workers to a company-wide meeting.

“There are accusations in there without any evidence,” Agrawal said. Twitter’s staff could hear the frustration in his voice, and to some it seemed that Agrawal was finally relatable. “Honestly, some of it just doesn’t make any sense. The narrative that has been created is false.”

Sean Edgett, Twitter’s general counsel, took the mic next. “We have never made a material misrepresentation to a regulator, to our board, to all of you,” he said. “We are in full compliance with our FTC consent decree.”

Twitter’s top security and privacy executives, Damien Kieran and Lea Kissner, debunked Zatko’s allegations one by one. Twitter had more work to do on its security, but things were not so desperate, they said. By the end of the meeting, most employees were reassured that the former executive wasn’t credible—after all, it had been his job to fix Twitter’s security problems, and instead he’d taken a massive payout and walked away.

But Spiro and Musk’s team of lawyers wasted no time. On August 29, a week after Zatko’s claims were published, they wrote to Twitter to break off the deal again. Zatko’s suggestion that Twitter had misled the FTC was reason enough to end the acquisition, even if Musk’s concerns about bots turned out to be nonsense, Musk’s legal team argued. “These violations would have material, if not existential, consequences to Twitter’s business,” Ringler wrote in a fresh breakup letter.

Spiro also worked Zatko’s claims into the lawsuit, demanding that Musk be allowed to walk away from the deal because the damning whistleblower report revealed Twitter had misled the public about its user numbers, which the company referred to as monetizable daily active users, or mDAUs.

“Stunning events over the last week, however, have revealed that the misrepresentations regarding mDAU were only one component of a broader conspiracy among Twitter executives to deceive the public, its investors, and the government about the dysfunction at the heart of the company,” Musk’s lawyers wrote to the court in mid-September. “The Musk Parties and Twitter’s many other investors were sold a different company than the Twitter that actually exists—one that was more valuable, more popular, more secure, and more compliant with governing law.”

Chancellor McCormick agreed that Zatko’s claims should be incorporated into the trial but seemed somewhat skeptical of Musk’s entire approach. In a hearing about the whistleblower report, as Musk’s side argued that there would have been no way for them to find out about Zatko if he had not come forward publicly, McCormick gently offered a reality check.

“We’ll never know, will we?” she said lightly. “There was no due diligence.”

As the October trial date approached, McCormick was becoming increasingly concerned about the media firestorm and the security risks it could bring to her court. Her staff arranged for a secret entrance on a loading dock, where Musk could come and go without being seen. They also worried about mysterious graffiti that appeared outside the courthouse and around Wilmington, Delaware, that made cryptic reference to the case. “Dievest,” a tag in bright Twitter-brand blue paint read, splashed on the wall of the parking garage used by McCormick and other staffers. “Twitr paid.” Was it a backing message for Musk? A threat? A signal of support for Twitter? McCormick threatened to come into work with a power washer and remove the graffiti herself before the owner of the garage buffed out the strange message.

With the trial date looming, Twitter’s leadership became more and more optimistic that they would win. Musk’s excuses for vacating the deal were too thin to hold up in court. Throughout the litigation, Savitt had braced himself for surprises, knowing Musk would find more cards to play. While the Zatko report was a challenge, Savitt thought it would take more than a disgruntled former employee to crack the merger agreement.

Musk’s best path to escape owning Twitter was for the board itself to recommend that shareholders vote against the deal. But on September 13, the board took the deal to Twitter’s shareholders, who voted overwhelmingly—98.6 percent—in favor of it. Twitter’s stock was puttering along at about $41 per share, and Musk’s offer of $54.20 was too good to refuse. All that was left was the looming trial.